Researcher booted from iOS dev program over exploit app

By Charles Starrett ● Tuesday, November 8, 2011

Security researcher Charlie Miller has been kicked out of Apple’s iOS Developer Program over a proof-of-concept app that he released on the App Store. According to Forbes, Miller discovered an exploit that allows an app to contact an external server, download new, unapproved commands onto the device, and execute them at will. Using the exploit, a malicious app could potentially steal a user’s photos, read contacts, make the phone vibrate or play certain sounds, or repurpose normal iOS apps for nefarious purposes. To demonstrate the exploit, Miller submitted a fake stock ticker program, which Apple approved and which was available for a time on the App Store; this led to the termination of his developer agreement with Apple.

“This letter serves as notice of termination of the iOS Developer Program License Agreement…between you and Apple,” Apple’s email to Miller read. “Effective immediately.” The email cited the portion of the agreement that forbade him to “hide, misrepresent or obscure” any part of the app. Miller claims that he was only trying to demonstrate the issue, and argues that his past track record should have been taken into account. “I report bugs to them all the time. Being part of the developer program helps me do that. They’re hurting themselves, and making my life harder,” he told Forbes. “They went out of their way to let researchers in, and now they’re kicking me out for doing research. I didn’t have to report this bug. Some bad guy could have found it instead and developed real malware.”

Comments

1

How long has “don’t kill the messenger” been part of basic human knowledge?

Posted by Code Monkey in Midstate New York on November 8, 2011 at 5:52 PM (CST)

2

I suppose he put Apple in the uncomfortable position of having to enforce the rules. Still seems hypocritical when they’re giving internships to jailbreak developers.

Posted by Paul on November 8, 2011 at 7:25 PM (CST)

3

This was clearly little more than a publicity stunt, at best, since he went about the process in the completely opposite way from which he should have.

He released a rogue app into the App Store back in September, which was approved by Apple and became available to anybody who wanted to download it. He then waited until October 14th to actually inform Apple of the vulnerability.

Even had he been looking to expose a flaw in the App Store review process (which shouldn’t be the real point here), he should have set the app for a future release date (developers can decide when to actually “publish” their app once it’s been approved), and then notified Apple immediately after it was approved—not at least two weeks later.

In fact, a more cynical person could come to the conclusion that it was an attempt to actually distribute malware through the App Store under the guise of “security research.”

Posted by Jesse Hollington in Toronto on November 9, 2011 at 12:18 PM (CST)

4

@3: I disagree. I’d argue that he did it exactly right. It was approved, it was available for anyone to download, and nobody, not least of all Apple, noticed. That is the lesson here, and one that no one, particularly Apple, would have gotten from a quiet behind the scenes notification.

Corporations have shown time and time again that they do not respond to being quietly informed about their vulnerabilities. These “publicity stunts” have been shown to be the only reliable remedy against the bean counters.

Next time he’ll be left to do what many other security activists do: just publish the exploit and the code to exploit the exploit for any and all to take advantage of.

Posted by Code Monkey in Midstate New York on November 9, 2011 at 2:36 PM (CST)